Hello Kitty: The SanrioTown website has been breached, possibly revealing data on children, according to a researcher

Details on 3.3 million users of SanrioTown, Sanrio’s official website for Hello Kitty and other characters, have been leaked online following what appears to be a breach of the website’s database, according to a security researcher.

Sanrio’s products are popular with children, meaning it is likely children’s details are included in the database, although Sanrio did not immediately respond to a request to confirm this.

Personal data

Chris Vickery contacted industry journal CSO regarding the breach late on Saturday and also reported the breach to Databreaches.net, the journal reported.

The records include names, birth dates, gender, country of origin, email address, lightly protected passwords, and password hint questions and answers, according to Vickery.

He said the passwords were stored as hashes using SHA-1 encryption, which is considered relatively easy to reverse. The hashes didn’t include “salts” of random data, a way of improving protection, Vickery said.

The inclusion of password recovery data means the passwords should be considered as compromised, according to security experts, who advised users to reset their passwords and to change passwords that might have been reused on other sites.

The database also included the details of users who registered on a number of other Sanrio websites, including hellokitty.com and mymelody.com.

Investigation

Sanrio said it is looking into the incident.

“The alleged security breach of the SanrioTown site is currently under investigation,” the company said in a statement. “Information will be made available once confirmed.”

SanrioTown is operated by Hong Kong-based Sanrio Digital and hosts games and community forums related to Sanrio products.

The breach follows that of toy maker Vtech less than a month ago, which leaked 11 million users’ data, including that of nearly 6.4 million children.

Such data can be used in identity theft, according to industry observers.

Earlier this year Sanrio confirmed a database leak that exposed information on more than 6,000 of its shareholders.